hardware specific infection route analysis


Cerber
It may be the wrong place to ask this question, but...

I do have a Windows 7 operating system that boots under loading the wrong driver signatures; it doesn't display anything but a black screen and the mouse cursor.

I have scanned it by Immunet while it was attached via a USB adapter, but there were only three files detected as viruses (pretty much false positives).

I'm not exactly sure where the malware resides, but I'm pretty sure it's not within your database.

Since the typical malware reports only allow for small malicious files to be attached, my question is: do you accept physical shipping of entire hard drives? 

Is there a chance that in the future, there will be a bounties program for shipping malware unrecognized by the databases? 

I could provide some additional feedback regarding the issue I'm (not) having if you were interested in analysis, but ever since the malware infection symptoms were present even after installing an operating system on a fresh drive, I conclude that I have got some mobo-specific trojan that is partially persistent even after updating the BIOS; and it seems that it was communicating with the OS layer and later the botnet through Intel's ME.

I guess it also fits in the ideas section, but what I want to know is: how do I send an entire hard drive for malware analysis, and why isn't buyback of contaminated hardware already a trend (I'm talking to you, Intel)? 


Hi, I'm not a moderator but I have had this problem with computers that I manage and friends' computers with Windows OS 7 Pro (and 8/10).

The best method is to do a complete OFFLINE backup (I would recommend Clonezilla Live - https://clonezilla.org/downloads.php) that could restore your computer (with or without bots/malware/etc) in case something goes wrong. If you are unfamiliar with doing image backups, please read the documentation but it is simple and self explanatory (Basically: Boot from Live CD or USB, follow prompts, choose defaults, use a large enough external USB HDD to store all your HDD(s) - and presto you have an image of your computer that you can restore again. It will take time so be patient).

Download and burn CDs or DVDs (as the case may be) for the following OFFLINE malware scan/detect/repair programs (I have included the ones I have used in the past with success, but there could be a lot more). The list is in alphabetical order, not in order of recommendation.

Comodo Rescue Disc - https://www.comodo.com/business-security/network-protection/rescue-disk.php

Dr Web Live Disc - https://free.drweb.com/aid_admin/

ESET SysRescue Live - https://www.eset.com/us/download/tools-and-utilities/sysrescue/#c29308

Kaspersky Rescue disc and USB - https://support.kaspersky.com/14226

Trend Micro Rescue Disc - https://downloadcenter.trendmicro.com/index.php?regs=nabu&prodid=1654

Windows Defender Offline - https://support.microsoft.com/en-us/windows/help-protect-my-pc-with-microsoft-defender-offline-9306d528-64bf-4668-5b80-ff533f183d6c

Notes:

(1) All the Live discs/USBs you boot from will need your computer to be on the internet so they can download and update their signature database. The database will be in memory, so it will be lost when you power down your computer, as there is no "persistence": the Live discs/USBs will not write to your computer disk(s).

(2) Some sites have a USB download as well, but you can convert the *.iso (Live disc download) to a bootable USB with Rufus - https://rufus.ie/en/ has both an installer and a portable version - please see the documentation on the Rufus site. In addition, all the links above have documentation on creating a bootable USB (since some of the USB downloads are an "image" file).

(3) Please download from the manufacturer site ONLY - don't do a Google/DDG search and download from any other site. CHECK the downloaded file against its published manufacturer signature (example for the Trend Micro Rescue Disc:

Filename: RescueDisk.exe
SHA256 checksum: e8db68a87cf9646cdb4ae4546b54b0a7c058fa51d423b7db473bac84a88e7ff4 )

You don't want to introduce other malware into your already compromised computer!

(4) All the download URLs above have documentation links - please read them!

Example - for ESET SysRescue Live - https://support.eset.com/en/kb3509-how-do-i-use-eset-sysrescue-live-to-clean-my-computer?page=content&id=SOLN3509

(5) There are other offline malware Rescue Discs/USBs (like Norton Rescue Disk or F-Secure, but they will not update their virus signatures, so they are significantly worthless). You also pay for having a GUI interface with a large download. I have not included Avira and AVG rescue Discs/USBs for their bloated (large) downloads. There are other smaller excellent offline sys rescue discs/USBs, but they are all CLI (Command Line Interface) - so you may not be comfortable with them unless you are an oldtimer (like me) from when there were only mainframes around and the PC wasn't even thought about! 🙂

(6) All of the GUIs have options for a "Smart Scan", "Full Scan" and "Custom Scan" - use the full scan, even though it will take time.

(7) Use multiple Rescue Discs/USBs since some will not detect ALL malware. (That's why I use an IDS/HIPS - a virus scan is like locking the barn door after the horse has bolted/been stolen - it depends on having detection signatures, and the best of heuristics are only guesses! But IDS/HIPS is another topic!)

Hope this helps in getting you up and running again. REMEMBER - always have a current FULL backup before you install a new program or just get into the habit of doing a regular (image) backup.
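Note (3) above says to check the downloaded rescue image against the vendor's published SHA256 before booting it. The script below is an added example (not from this post, and not Immunet's or any vendor's own tool) showing how that check is done in a way that also copes with large ISO files and with copy/pasted checksum lines. It assumes Python 3 only; the file name, its contents and the "tampered" digest are constructed for the demonstration, while the `parse_published_digest` input format mirrors the "SHA256 checksum: ..." line quoted in the post.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Matches a 64-hex-digit SHA-256 digest anywhere in a line such as
# "SHA256 checksum: e8db68a8..." (the format quoted in the post above).
_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_published_digest(line: str) -> str:
    """Pull the SHA-256 digest out of a vendor's published checksum line.

    Raises ValueError when the line carries no 64-hex-digit value, so a
    mangled copy/paste fails loudly instead of silently comparing unequal.
    """
    match = _SHA256_RE.search(line)
    if match is None:
        raise ValueError(f"no SHA-256 digest found in: {line!r}")
    return match.group(0).lower()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a multi-gigabyte ISO need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: Path, published_line: str) -> bool:
    """Return True only if the file's SHA-256 equals the vendor's published digest."""
    expected = parse_published_digest(published_line)
    actual = sha256_of_file(path)
    # compare_digest is not strictly needed for a local file check, but it is the
    # idiomatic way to compare digests and costs nothing.
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed demonstration: a fake 'download' whose SHA-256 is known."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = Path(tmp) / "RescueDisk-sample.iso"   # hypothetical file name
        iso.write_bytes(b"abc")  # constructed content, not a real rescue image
        # SHA-256 of the bytes "abc"; the "tampered" line is a constructed mismatch.
        good = "SHA256 checksum: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        tampered = "SHA256 checksum: " + "0" * 64
        return {
            "genuine": verify_download(iso, good),
            "tampered": verify_download(iso, tampered),
        }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False}
```

In practice you would call `verify_download(Path("RescueDisk.exe"), "<line copied from the vendor page>")` and refuse to burn or boot the image unless it returns True; a False result means the file is not what the vendor published, whether through a corrupted download or a substituted one, which is exactly the case the post warns about.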
